Incident Response > [T3]: Lab - RITA: Detect DNS tunneling
Detect DNS tunneling
Attackers use DNS tunneling to communicate with their C2 server and to
exfiltrate data, because outbound DNS is usually allowed through edge
firewalls even when most other traffic is filtered or inspected.
This demo shows how to use RITA to detect C2 communication
over the DNS channel.
Open your terminal, head to
~/Desktop/CCD/RITA/pcap, then execute
the following commands to convert the PCAP into Zeek log format:
- cd ~/Desktop/CCD/RITA/pcap
- mkdir dnscat2_logs
- cd dnscat2_logs/
- zeek -r ../dnscat2_dns_tunneling_24hr.pcap local
- cd ..
This step may take some time, depending on your system; when it finishes you
should see output similar to the screenshot below.
It creates 13 Zeek log files (dns.log among them) in
~/Desktop/CCD/RITA/pcap/dnscat2_logs
We need to import those generated logs
into a RITA database for analysis. Go ahead and execute:
- sudo rita import dnscat2_logs dnscat2
The first argument is the directory of Zeek logs, the second is the name of
the RITA database to create. This step takes a while, because RITA has to
process every DNS query in the capture before it can build the exploded view.
Now we can use RITA to list the queried
FQDNs and inspect the DNS traffic. Open your terminal and execute the
following (-H prints human-readable tables):
- sudo rita show-beacons-fqdn dnscat2 -H
- sudo rita show-exploded-dns dnscat2 -H | more
As you can see, there is a massive number
of DNS queries for cisco-update[.]com,
yet not a single HTTP request to that domain. A host that resolves a name
thousands of times without ever connecting to it is a strong indicator that
DNS itself is the channel.
To dig deeper, we can grep the exploded DNS output for that domain:
- sudo rita show-exploded-dns dnscat2 | grep cisco-update.com
You can see many DNS requests to the same second-level domain, each with a different machine-generated subdomain. dnscat2 encodes its data in the labels of the queried name, so every message exchanged with the C2 server produces a new, never-repeated subdomain; the high count of unique subdomains under one domain is the signal RITA's exploded view surfaces.
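To make the two RITA views used above concrete, here is an added example (it is not RITA's code and not taken from the lab's PCAP) that reproduces the explode-and-count logic of `show-exploded-dns` over a small Zeek dns.log excerpt and then applies a simple tunnel heuristic: many unique subdomains under one registered domain whose leftmost labels have the high entropy of encoded data. The sample log lines, the choice of cisco-update.com as the tunnel domain, the hex labels, the two-label `registered_domain` helper (no public-suffix list) and the thresholds in `tunnel_candidates` are all assumptions made for illustration.

```python
"""Explode a Zeek dns.log by registered domain and flag tunnel candidates.

Added example for this lab; it is not RITA's code and not taken from the
lab's PCAP. The log excerpt below is constructed to resemble dnscat2 traffic.
"""
import math
from collections import Counter, defaultdict

# Constructed Zeek dns.log excerpt (tab-separated, trimmed to the fields used
# here). Benign lookups of example.com sit next to dnscat2-style queries in
# which every lookup carries a different hex label under cisco-update.com.
SAMPLE_DNS_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tid.orig_h\tid.resp_h\tquery\tqtype_name",
    "1700000000.10\t10.0.0.5\t10.0.0.53\twww.example.com\tA",
    "1700000001.20\t10.0.0.5\t10.0.0.53\tmail.example.com\tA",
    "1700000002.30\t10.0.0.5\t10.0.0.53\twww.example.com\tA",
    "1700000003.40\t10.0.0.5\t10.0.0.53\t3f2a1c9e0b7d44aa.cisco-update.com\tTXT",
    "1700000004.50\t10.0.0.5\t10.0.0.53\t9b01e7cc5ad28f13.cisco-update.com\tTXT",
    "1700000005.60\t10.0.0.5\t10.0.0.53\t6d4e0a17b3c92ff8.cisco-update.com\tCNAME",
    "1700000006.70\t10.0.0.5\t10.0.0.53\tc8f39a2e11d07b64.cisco-update.com\tMX",
    "1700000007.80\t10.0.0.5\t10.0.0.53\t3f2a1c9e0b7d44aa.cisco-update.com\tTXT",
])


def parse_dns_log(text):
    """Parse Zeek's TSV dns.log into dicts keyed by the #fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other header/footer lines and blank lines
        elif fields is not None:
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def registered_domain(fqdn):
    """Collapse a name to its last two labels (assumption: no public-suffix
    list, so a name like host.example.co.uk would collapse to co.uk)."""
    labels = fqdn.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else fqdn.lower()


def shannon_entropy(s):
    """Bits of entropy per character; hex-encoded data scores close to 4."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def queries(records):
    """Yield the normalised, non-empty query names from parsed records."""
    for r in records:
        q = r.get("query", "")
        if q and q != "-":
            yield q.rstrip(".").lower()


def explode_dns(records):
    """Per registered domain: unique subdomains seen and total lookups, the
    two columns `rita show-exploded-dns` reports for a domain."""
    stats = defaultdict(lambda: {"subdomains": set(), "lookups": 0})
    for q in queries(records):
        d = stats[registered_domain(q)]
        d["subdomains"].add(q)
        d["lookups"] += 1
    return {dom: {"unique_subdomains": len(s["subdomains"]), "lookups": s["lookups"]}
            for dom, s in stats.items()}


def tunnel_candidates(records, min_unique=3, min_entropy=3.0):
    """Flag domains with many distinct subdomains whose leftmost label looks
    like encoded data (high entropy). Thresholds are example values only."""
    exploded = explode_dns(records)
    first_labels = defaultdict(list)
    for q in queries(records):
        first_labels[registered_domain(q)].append(q.split(".")[0])
    flagged = {}
    for dom, st in exploded.items():
        labels = first_labels[dom]
        avg = sum(shannon_entropy(l) for l in labels) / len(labels)
        if st["unique_subdomains"] >= min_unique and avg >= min_entropy:
            flagged[dom] = {**st, "avg_first_label_entropy": round(avg, 2)}
    return flagged


def queries_for(records, domain):
    """Equivalent of piping the exploded view through grep for one domain."""
    return sorted({q for q in queries(records) if registered_domain(q) == domain})


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_DNS_LOG)
    for dom, st in sorted(explode_dns(recs).items()):
        print(f"{dom:20} unique={st['unique_subdomains']:3} lookups={st['lookups']:3}")
    print("tunnel candidates:", tunnel_candidates(recs))
    print("\n".join(queries_for(recs, "cisco-update.com")))
```

Run it against a real dns.log from the lab (`python3 explode.py < /dev/null` after pointing `SAMPLE_DNS_LOG` at the file contents, or replace the constant with `open(path).read()`) and compare the counts with `rita show-exploded-dns`; the entropy threshold is deliberately loose, since hex labels sit near 4 bits per character while ordinary hostnames rarely exceed 3.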